I had more or less the same problem, but with the AVG antivirus, which can't
detect a virus that collapses the network by attacking other Windows machines on port
445, in our case Windows XP.
In our case the virus was a .dll and runs explorer.exe to connect to the
network.
We cleaned it with Stinger:
http://vil.nai.com/vil/stinger/
You can try it.
I hope it will be useful to you.
----- Original Message -----
From: "Ted August" <taugust04 at gmail.com>
To: <list at lists.dshield.org>
Sent: Saturday, October 23, 2004 9:08 PM
Subject: [Dshield] Possible virus/worm?
> Hello everyone,
>
> I am new to this list, but I have been googling all day and have not
> been able to find anything to my answers so far. Our network was
> recently hit with a new worm/virus that has not been detected by
> Symantec AV Corporate.
>
> The symptoms are as follows:
>
> 1. Creates a file called "quiktime32.exe" (note the misspelling) in
> c:\%systemroot%\system32.
> 2. Creates a service called "QuickTime Player" that cannot be
> disabled or stopped from the Computer Management Console.
> 3. Generates a ton of traffic on port 445.
>
> One of our network admins believes that this is a new variant of
> Sasser, but otherwise we have been unsuccessful in diagnosing the
> problem. It seems to have only hit mostly Windows 2000 computers on
> our network.
>
> If anyone else is having the same problem, and could provide some
> feedback as to what this is, it would be much appreciated. We did
> submit the file to Symantec but haven't heard back yet.
>
> Thanks!
>
> Ted August